Communication between a communication device and a network device
Abstract
A first network device of a first communication network obtains a challenge, generates a first PFS parameter, obtains a first verification code for the first PFS parameter, and sends the challenge, the first PFS parameter and the first verification code to a communication device, which in turn receives the challenge, the first PFS parameter and the first verification code, forwards the challenge or a derivative thereof to an identity module, receives at least one result parameter as response from the identity module, determines, based on the result parameter, whether the first PFS parameter is authentic, and if the determination is positive generates and sends the second PFS parameter to the first network device, which in turn verifies the second PFS parameter.
Claims
exact text as granted — not AI-modifiedThe invention claimed is:
1. A communication device for communicating with a network device of a communication network, the communication device being configured to perform operations comprising:
receiving, at the communication device, a challenge, a first perfect forward secrecy (PFS) parameter, and a first verification code from the network device;
forwarding, by the communication device, a derivative of the challenge to an identity module,
receiving, at the communication device, a result parameter as response from the identity module,
determining, based on the result parameter, that the first PFS parameter is authentic;
sending, by the communication device, a second PFS parameter to the network device based on the determination that the first PFS parameter is authentic; and
generating a session key for communication between the communication device and the network device, the session key being based on the first and second PFS parameters.
2. The communication device according to claim 1 , wherein the session key is based on first and second values used for generating the first and second PFS parameters, respectively.
3. The communication device according to claim 1 , wherein the session key is based on the first PFS parameter and an exponent of the second PFS parameter.
4. The communication device according to claim 1 , wherein the communication device comprises a mobile equipment that is configured to perform the operations of claim 1 .
5. The communication device according to claim 1 ,
wherein the communication device comprises the identity module, and
wherein the identity module performs key and cryptographic processing operations.
6. The communication device according to claim 1 , wherein the first and second PFS parameters are Diffie-Hellman parameters.
7. The communication device according to claim 1 , wherein the first verification code comprises a message authentication code based on the first PFS parameter.
8. The communication device according to claim 1 , wherein the derivative is identical to the challenge.
9. The communication device according to claim 1 , wherein the derivative is a hash of the challenge.
10. The communication device according to claim 1 ,
wherein the challenge, the first PFS parameter, the first verification code, and a challenge verification code are received in an authentication request message from the network device,
wherein the result parameter comprises a response parameter that is responsive to the challenge, and
wherein the sending of the second PFS parameter comprises sending the second PFS parameter, a second verification code, and the response parameter in an authentication response message.
11. The communication device according to claim 10 ,
wherein the authentication request message comprises the first verification code in a corresponding separate information element of the authentication request message, and
wherein the determining that the first PFS parameter is authentic is based on the first verification code.
12. The communication device according to claim 10 ,
wherein the first verification code is provided as at least part of the challenge verification code, and
wherein the determining that the first PFS parameter is authentic is based on the identity module providing the result parameter.
13. The communication device according to claim 12 , wherein the challenge is based on the first PFS parameter.
14. The communication device according to claim 10 , being further configured to perform operations comprising:
generating the second verification code based on the response parameter,
wherein the authentication response message comprises the second verification code in an information element assigned to the response parameter.
15. The communication device according to claim 10 , wherein the second verification code is generated as a message authentication code based on the second PFS parameter.
16. The communication device according to claim 7 , wherein the message authentication code is based on HMAC/SHA-256.
17. A method for a communication device in communication with a network device of a communication network, the method being performed by the communication device and comprising:
receiving, at the communication device, a challenge, a first perfect forward secrecy (PFS) parameter, and a first verification code from the network device;
forwarding, by the communication device, a derivative of the challenge to an identity module,
receiving, at the communication device, a result parameter as response from the identity module,
determining, based on the result parameter, that the first PFS parameter is authentic;
sending, by the communication device, a second PFS parameter to the network device based on the determination that the first PFS parameter is authentic; and
generating a session key for communication between the communication device and the network device, the session key being based on the first and second PFS parameters.
18. The method according to claim 17 , wherein the session key is based on first and second values used for generating the first and second PFS parameters, respectively.
19. The method according to claim 17 , wherein the session key is based on the first PFS parameter and an exponent of the second PFS parameter.
20. The method according to claim 17 ,
wherein the challenge, the first PFS parameter, the first verification code, and a challenge verification code are received in an authentication request message,
wherein the result parameter comprises a response parameter received as a response to the challenge, and
wherein the sending of the second PFS parameter comprises sending the second PFS parameter, a second verification code, and the response parameter in an authentication response message.
21. The method according to claim 20 ,
wherein the authentication request message comprises the first verification code in a corresponding separate information element of the authentication request message, and
wherein the determining that the first PFS parameter is authentic is based on the first verification code.
22. The method according to claim 20 ,
wherein the first verification code is provided as at least a part of the challenge verification code, and
wherein the determining that the first PFS parameter is authentic is based on the identity module providing the result parameter.
23. The method according to claim 20 , further comprising:
generating the second verification code based on the response parameter,
wherein the authentication response message comprises the second verification code in an information element of the authentication response message assigned to the response parameter.
24. The method according to claim 17 , wherein the derivative is identical to the challenge.
25. The method according to claim 17 , wherein the derivative is a hash of the challenge.
26. A computer program product comprising a non-transitory computer-readable storage medium storing program code for a communication device in communication with a network device of a communication network, the program code, which when run in the communication device, causes the communication device to perform operations comprising:
receiving a challenge, a first perfect forward secrecy (PFS) parameter, and a first verification code from the network device;
forwarding a derivative of the challenge to an identity module;
receiving a result parameter as response from the identity module;
determining, based on the result parameter that the first PFS parameter is authentic;
sending a second PFS parameter to the network device based on the determination that the first PFS parameter is authentic; and
generating a session key for communication between the communication device and the network device, the session key being based the first and second PFS parameters.
27. A first network device of a first communication network, the first network device being configured to perform operations comprising:
obtaining a challenge;
obtaining a first perfect forward secrecy (PFS) parameter;
obtaining a first verification code for the first PFS parameter;
sending, by the first network device, the challenge, the first PFS parameter, and the first verification code to a communication device;
receiving, at the first network device, a second PFS parameter, a second verification code, and a response parameter from the communication device;
determining that the response parameter is authentic;
verifying the second PFS parameter based on the second verification code; and
computing a session key for communication between the communication device and the first network device, the session key being based on the first and second PFS parameters.
28. The first network device according to claim 27 , wherein the session key is based on first and second values used for generating the first and second PFS parameters, respectively.
29. The first network device according to claim 27 , wherein the session key is based on the second PFS parameter and an exponent of the first PFS parameter.
30. The first network device according to claim 27 ,
wherein obtaining the challenge comprises obtaining the challenge and a challenge verification code,
wherein the challenge, the first PFS parameter, the first verification code, and the challenge verification code are sent in an authentication request, and
wherein the second PFS parameter, the second verification code, and the response parameter are received in an authentication response message.
31. The first network device according to claim 30 ,
wherein obtaining the first verification code comprises generating the first verification code using the first PFS parameter, and
wherein the first verification code is sent in a corresponding separate information element of the authentication request message.
32. The first network device according to claim 30 ,
wherein obtaining the first PFS parameter comprises receiving a value x used for generating the first PFS parameter,
wherein the first verification code is obtained as at least part of the challenge verification code, and
wherein the first verification code is sent as at least part of the challenge verification code.
33. The first network device according to claim 30 , further comprising:
obtaining an expected challenge result before sending the challenge to the communication device,
wherein determining that the response parameter is authentic is based on a comparison of the response parameter with the expected challenge result.
34. The first network device according to claim 30 ,
wherein the response parameter is received in the authentication response message through the second verification code being based on the response parameter and the first network device,
wherein the second verification code is received in an information element of the authentication response message assigned to the response parameter, and
wherein determining that the response parameter is authentic and verifying the second PFS parameter are performed simultaneously using the second verification code.
35. A method for a first network device of a first communication network, the method being performed by the first network device and comprising the steps of:
obtaining a challenge;
obtaining a first perfect forward secrecy (PFS) parameter;
obtaining a first verification code for the first PFS parameter;
sending the challenge, the first PFS parameter and the first verification code to a communication device;
receiving a second PFS parameter, a second verification code and a response parameter from the communication device;
determining that the response parameter is authentic;
verifying the second PFS parameter based on the second verification code; and
computing a session key for communication between the communication device and the first network device, the session key being based on the first and second PFS parameters.
36. The method according to claim 35 , wherein the session key is based on first and second values used for generating the first and second PFS parameters, respectively.
37. The method according to claim 35 , wherein the session key is based on the second PFS parameter and an exponent of the first PFS parameter.
38. The method according to claim 35 ,
wherein the obtaining the challenge comprises obtaining the challenge and a challenge verification code,
wherein the challenge, the first PFS parameter, the first verification code, and the challenge verification code are sent in an authentication request message, and
wherein the second PFS parameter, the second verification code, and the response parameter are received in an authentication response message.
39. The method according to claim 38 ,
wherein the obtaining of the first verification code comprises generating the first verification code using the first PFS parameter, and
wherein the first verification code is sent in a corresponding separate information element of the authentication request message.
40. The method according to claim 38 ,
wherein the obtaining of the first PFS parameter further comprises receiving a value used for generating the first PFS parameter,
wherein the first verification code is obtained as at least part of the challenge verification code, and
wherein the first verification code is sent as at least part of the challenge verification code.
41. The method according to claim 38 , further comprising:
obtaining an expected challenge result before sending the challenge to the communication device,
wherein the determining that the response parameter is authentic is based on a comparison of the response parameter with the expected challenge result.
42. The method according to claim 38 ,
wherein the response parameter is received in the authentication response message through the second verification code being based on the response parameter,
wherein the second verification code is received in an information element of the authentication response message assigned to the response parameter, and
wherein the determining that the response parameter is authentic and the verifying of the second PFS parameter are performed simultaneously using the second verification code.
43. A computer program product comprising a non-transitory computer-readable storage medium storing program code for a first network device of a first communication network, the program code, which when run in the first network device, causes the first network device to perform operations comprising:
obtaining a challenge;
obtaining a first perfect forward secrecy (PFS) parameter;
obtaining a first verification code for the first PFS parameter;
sending the challenge, the first PFS parameter, and the first verification code to a communication device;
receiving a second PFS parameter, a second verification code, and a response parameter from the communication device;
determining that the response parameter is authentic;
verifying the second PFS parameter based on the second verification code; and
computing a session key for communication between the communication device and the first network device, the session key being based on the first and second PFS parameters.
44. A system comprising a first network device of a first communication network and a second network device in a second communication network,
the second network device being configured to send a challenge to the first network device,
the first network device being configured to perform operations including:
receiving, at the first network device, the challenge;
obtaining a first perfect forward secrecy (PFS) parameter;
obtaining a first verification code for the first PFS parameter,
sending, by the first network device, the challenge, the first PFS parameter, and the first verification code to a communication device;
receiving, at the first network device, a second PFS parameter, a second verification code, and a response parameter from the communication device;
determining that the response parameter is authentic;
verifying the second PFS parameter based on the second verification code; and
computing a session key for communication between the communication device and the first network device, the session key being based on the first and second PFS parameters.
45. The system according to claim 44 ,
wherein the second network device is configured to send a first value to the first network device,
where the first network device is configured to generate the first PFS parameter based on the first value and to send the first verification code as a challenge verification code to the communication device.
46. A second network device for a second communication network, the second network device being configured to perform operations comprising:
receiving, at the second network device from a first network device of a first communication network, a request for authentication data related to an identity module of a communication device, for a communication session between the first network device and the communication device;
generating a first perfect forward secrecy (PFS) parameter for the communication session between the first network device and the communication device;
generating a first verification code based on the first PFS parameter and a key shared between the second network device and the identity module; and
sending in response to the request, by the second network device to the first network device, the first verification code and a value from which the first PFS parameter is derived.
47. The second network device according to claim 46 , wherein the value from which the first PFS parameter is derived comprises the first PFS parameter.
48. The second network device according to claim 46 , wherein the first PFS parameter comprises a Diffie-Hellman parameter and the value from which the first PFS parameter is derived comprises an exponent of the Diffie-Hellman parameter.
49. The communication device according to claim 1 ,
wherein the challenge comprises the first PFS parameter,
wherein the communication device is further configured to verify the first PFS parameter using the first verification code,
wherein the communication device is further configured to generate a second verification code for the second PFS parameter, and
wherein sending the second PFS parameter to the network device comprises sending the second PFS parameter and a message authentication code to the network device, the message authentication code being based on the result parameter and the second PFS parameter.
50. The first network device according to claim 27 ,
wherein the challenge comprises the first PFS parameter,
wherein the first network device is further configured to obtain an authorization token for the challenge, the authorization token comprising the first verification code,
wherein sending the challenge, the first PFS parameter, and the first verification code to the communication device comprises sending the challenge comprising the first PFS parameter and sending the authorization token comprising the first verification code to the communication device, and
wherein the second verification code comprises a message authentication code that is based on the response parameter and the second PFS parameter.
51. The first network device according to claim 27 , further configured to obtain an expected result parameter before sending the challenge and the first PFS parameter to the communication device, wherein the verifying the second PFS parameter is based on the second verification code and the expected result parameter.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.